IoT Cybersecurity Startup Landscape (Part 1) — Connected Vehicles


State of the Market

The internal computational structure of autonomous and connected vehicles is largely coordinated through electronic control units (ECUs). These are frequently connected via a controller area network (CAN) “bus,” which acts as a backbone for electrical signals passing between ECUs. A modern vehicle operates dozens of ECUs that control everything from wipers to braking and even steering. With the application of partial vehicle autonomy, computers increasingly perform a number of driving functions for the driver.

Just to give you an idea: an average vehicle nowadays typically runs 20–30 million lines of code on 50–60 electronic control units (ECUs) and more than 80 microprocessors, controlling everything from the infotainment system to critical software and powertrain functions. Luxury vehicles may contain up to 50 million lines of code and 100 ECUs.

Technology advancements have created new problems


Popular attack vectors include remote keyless entry systems, manipulation of car control systems and data breaches. While some introduce low physical risk, such as abuse of the unlock function, which mainly leads to theft of or damage to the vehicle, others are categorized as safety-critical and can have a real and devastating impact on human lives (e.g., taking remote control of a car while it is driving at really high speeds).

Upstream Security’s repository of reported automotive cyber incidents targeting the smart mobility ecosystem shows a rapid growth in cyber-attacks in the last few years.


Stakeholders are unprepared

A big problem is that security vulnerabilities are being assessed far too late in the product release process, with less than half of companies assessing them in the design phase or the development and testing phase. The most common security activities in the industry show that cybersecurity isn’t being fully integrated throughout the system development life cycle. Over a third of the industry is not using accepted secure software development life cycle (SSDLC) practices, leading to vulnerabilities in new technologies and components.

Regulations

The recently passed UNECE/WP.29 regulation requires automotive organizations to secure software updates and detect them within the lines of code of each vehicle’s software. This requires manufacturers to understand their software’s behavior and present data to comply with the regulation. OEMs that don’t comply with the new regulation will face a wide range of consequences, including trade barriers.

Nevertheless, since UNECE/WP.29 doesn’t specify how its regulatory requirements need to be met, OEMs can implement different mitigation strategies and use standards such as ISO/SAE 21434 to showcase regulatory compliance. ISO/SAE 21434 is a baseline for vehicle manufacturers and suppliers to make sure cybersecurity risks are effectively managed. The standard provides a cybersecurity framework with the goal of ensuring user safety and driver security.

What are the solutions offered by startups?

  • Pre-Market: solutions that help secure firmware, hardware-level components and supply chains for connected vehicles. This includes providing compliance, licensing and governance to stay up-to-date with the latest market changes.
  • Post-Market: post-deployment solutions that provide ongoing monitoring of cyber risks in connected vehicles. These detect and protect networks and devices against threats by using real-time threat intelligence, continuous monitoring and risk mitigation strategies.

Ending Remarks

Unfortunately, this market hasn’t taken off. The automotive cybersecurity industry is still in its infancy, as corporations are still in the education phase. Still, I expect to see more consolidation of the market as it matures in the upcoming years, as we’ve already seen so far. Some important past acquisitions include the following:

[Image: past acquisitions]

These acquisitions have been undertaken by organizations looking to secure their own smart mobility ecosystems. Moving forward, I believe acquisitions will be led by IoT cybersecurity companies looking to expand their footprint into the automotive cybersecurity sector, once this market matures more. Similar to enterprise security, this won’t be a winner-take-all market. Instead, there will be category winners for different layers of the connected car. Since automotive cybersecurity technology is still in its infancy, it remains unclear what type of approach will get good market traction.

In Part 2 of this four-article series, I’ll be covering the state of the medical device cybersecurity startup market.

Special thanks and shout-out to my colleague Ravi Mulugu, who provided me with insights to bring this piece together.

Feel free to add me and message me via LinkedIn — I’m always happy to exchange thoughts: https://www.linkedin.com/in/dennisfromperu/

Disclaimer: This blog represents solely my own opinions, not my employer’s.

Investor at UL Ventures. LatinX. Salsa Dancer. VC Trends. A personal blog for the curious mind.
